Google Adds Two-Factor Authentication To Gmail 399
Trailrunner7 writes "Google has introduced a new two-step authentication feature for Gmail users that it says will significantly increase the security of the free mail service. The system enables users to set up a method for obtaining a secret code that will be required, along with a password, to access a Gmail account. The new two-factor authentication system is a voluntary program right now, although it could become mandatory at some point in the future. Gmail, like virtually all other webmail services, has been a frequent target of attacks, both sophisticated and mundane, aimed at hijacking users' accounts. The most famous of these was an attack that was part of the Aurora operation against Google and others, part of which targeted the Gmail accounts of Chinese dissidents."
Direct link to Google's announcement (bypass blog) (Score:4, Informative)
http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html [blogspot.com]
Re:IMAP? (Score:5, Informative)
Read the article. There is a randomly generated application-specific 16-digit password that is used for things like IMAP and POP3. If someone gets access to that (unlikely, since you would never need to write it down, and Google encrypts IMAP and POP3), they can only access that specific service, and it's not going to be the same password you use anywhere else.
Re:What apps? (Score:5, Informative)
There is a "Google Authenticator" application that you install on your phone. It has been out for several months. It requires no cell reception.
Re:Great...what if you're without your phone? (Score:4, Informative)
They offer a smart phone app for several platforms that doesn't require Internet access. Just like an RSA keyfob doesn't require Internet access.
Re:Great...what if you're without your phone? (Score:5, Informative)
Do you have access to a landline? Because you can set the account settings to call you via a backup number and have the code read out to you. Or you can print out some backup codes and keep them in your wallet if you choose to do so. Not only that, you have the option to not have to enter a new verification code for 30 days, just your password, so if you brought your laptop along with you, you could have enabled the 30-day grace period. Then, when you go someplace and realize that you do in fact get reception, turn the 30-day off. You can even generate a ton of one-time codes for use on public computers! And once you generate the code and copy it down somewhere, you can hide it - and the code can't be retrieved from your account again! And you can revoke them at any time! And if this isn't enough choice for you - you can simply not opt-in. That's right, this is entirely opt-in.
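Two of the fallback mechanisms in this thread, the application-specific passwords for IMAP/POP3 from the earlier reply and the printable one-time backup codes described above, are both "secondary credentials": random strings shown to the user once, stored server-side only as hashes (which is why they cannot be retrieved again), scoped or single-use, and revocable. The sketch below is an added example of that pattern, not Google's implementation; the 16-lowercase-letter and 8-digit formats, the service scopes, and the class and method names are assumptions made for illustration.

```python
"""Added example: server-side store for one-time backup codes and scoped app passwords."""
import hashlib
import hmac
import secrets
import string


class SecondaryCredentials:
    """Holds only hashes, so plaintext codes/passwords exist once, at issue time.
    The secrets are high-entropy random values, so a plain SHA-256 is adequate here;
    a slow KDF (bcrypt/scrypt/Argon2) is for low-entropy human-chosen passwords."""

    def __init__(self) -> None:
        self._backup_hashes: set[str] = set()           # unused one-time codes
        self._app_passwords: dict[str, tuple[str, str]] = {}  # label -> (scope, hash)

    @staticmethod
    def _digest(value: str) -> str:
        return hashlib.sha256(value.encode("utf-8")).hexdigest()

    # ---- one-time backup codes (print them, keep them in your wallet) ----
    def issue_backup_codes(self, count: int = 10) -> list[str]:
        """Replaces any existing set and returns the plaintext codes exactly once."""
        codes = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(count)]
        self._backup_hashes = {self._digest(c) for c in codes}
        return codes

    def redeem_backup_code(self, code: str) -> bool:
        """Consumes the code: a second use of the same code is rejected."""
        candidate = self._digest(code.strip())
        for stored in list(self._backup_hashes):
            if hmac.compare_digest(stored, candidate):
                self._backup_hashes.discard(stored)
                return True
        return False

    def revoke_backup_codes(self) -> None:
        self._backup_hashes.clear()

    def backup_codes_remaining(self) -> int:
        return len(self._backup_hashes)

    # ---- application-specific passwords (one per mail client, one per protocol) ----
    def issue_app_password(self, label: str, scope: str) -> str:
        """Scope is the only service the password may unlock, e.g. 'imap' or 'pop3'."""
        password = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self._app_passwords[label] = (scope, self._digest(password))
        return password

    def check_app_password(self, password: str, service: str) -> bool:
        """True only if some unrevoked app password matches AND was issued for this service,
        so a leaked IMAP password cannot be replayed against another service or the web login."""
        candidate = self._digest(password.replace(" ", ""))
        for scope, stored in self._app_passwords.values():
            if hmac.compare_digest(stored, candidate) and scope == service:
                return True
        return False

    def revoke_app_password(self, label: str) -> bool:
        return self._app_passwords.pop(label, None) is not None


if __name__ == "__main__":
    creds = SecondaryCredentials()
    codes = creds.issue_backup_codes()
    print("backup codes (shown once):", codes)
    print("first use:", creds.redeem_backup_code(codes[0]), "replay:", creds.redeem_backup_code(codes[0]))
    mail_pw = creds.issue_app_password("laptop Thunderbird", "imap")
    print("imap ok:", creds.check_app_password(mail_pw, "imap"), "pop3:", creds.check_app_password(mail_pw, "pop3"))
```

Note what the hashes buy you and what they do not: the account page can never show a code again, which matches the behaviour described in the post, but a stolen database still lets an attacker brute-force an 8-digit code offline in seconds, so backup codes must also be rate-limited online and invalidated when a new set is issued.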